North Korean Hackers Launch Daily ’Fake Zoom’ Assaults on Crypto Firms — Here’s What You Need to Know
Your next video call could be a multi-million dollar heist.
Security researchers are sounding the alarm on a relentless campaign targeting cryptocurrency companies. The weapon of choice? Sophisticated 'Fake Zoom' attacks, deployed with alarming frequency and traced back to North Korean state-sponsored actors.
The Phish in the Video Feed
Forget clumsy email scams. This operation is surgical. Attackers impersonate colleagues or partners, sending legitimate-looking calendar invites for Zoom, Teams, or Google Meet calls. The link, however, is a trap—a flawless replica of a corporate login portal designed to harvest credentials and bypass multi-factor authentication in real-time.
Once inside, the hackers move fast. They drain wallets, manipulate transactions, and exfiltrate sensitive data before security teams even notice a blip. The attacks aren't sporadic; they're a daily operational tempo for these groups, who reportedly funnel stolen digital assets into the regime's sanctioned weapons programs.
Why Crypto? Follow the (Unregulated) Money
The sector's combination of high liquidity and, let's be honest, sometimes laughable corporate security protocols makes it a perfect target. While traditional finance wrestles with KYC forms, crypto firms are getting cleaned out by a guy pretending to be from HR in a pixel-perfect virtual lobby.
It's a stark reminder that in the race for decentralization, basic operational security often gets left in the dust. The promise of cutting out the middleman is great until the middleman is a hacker with a fake background and your seed phrase.
The threat is persistent, state-funded, and evolving. For an industry built on 'trustless' systems, it turns out you still have to trust someone not to rob you blind during a stand-up meeting. Maybe invest in a webcam—seeing a face still beats funding a missile.
Fake Zoom Meetings Used To Drain Wallets
According to Security Alliance (SEAL) and other researchers, attackers first contact targets through messaging apps such as Telegram. They then invite victims to a video call that looks legitimate.
During the call, the impostors claim there is a problem with sound or video and offer a “fix” — a file or a link that appears to be an official update. When the victim runs the file, malware installs and begins stealing credentials, browser data, and crypto keys.
Several attacks are reported every day, and many follow the same pattern. Researchers say these staged calls let attackers bypass normal caution because people tend to trust someone they see on camera.
SEAL is tracking multiple DAILY attempts by North Korean actors utilizing “Fake Zoom” tactics for spreading malware as well as escalating their access to new victims.
Social engineering is at the root of the attack. Read the thread below for pointers on how to stay secure. https://t.co/2SQGdtPKGx
— Security Alliance (@_SEAL_Org) December 13, 2025
NimDoor, Other Malware Strains Target macOS And Wallets
Based on reports, one strain tied to these schemes is NimDoor, a macOS backdoor that can harvest keychain items, browser-stored passwords, and messaging data.
Security teams LINK NimDoor and related tools to BlueNoroff, a group connected to the Lazarus Group network. BlueNoroff has a long record of attacking crypto firms and exchanges.
Once the malware is in place, wallets have been emptied within minutes. Victims often discover the theft only after seeing outgoing transactions on the blockchain.
Researchers warn that attackers are not simply using fake names. They are also deploying AI-assisted deepfake video and voice tools to impersonate executives or known contacts.
Attackers sometimes send calendar invites that look like genuine meeting requests from platforms such as Calendly, directing targets to attacker-controlled Zoom links.
The level of social engineering makes the calls seem urgent and official, which reduces the time victims take to question what they are being asked to install.
Attackers Target Individuals And Small Firms AlikeReports have disclosed that victims include individual traders, startup employees, and small teams at crypto companies. Losses are concentrated but widespread, with estimates around $300,000,000.
Some victims have lost funds tied to browser wallets and hot wallets; others had recovery phrases captured and used to drain accounts.
Security teams urge quick action when a suspicious update is offered during a remote session: They warn not to run it, verify separately, and treat unsolicited meeting fixes as high risk.
Featured image from Unsplash, chart from TradingView
